
Cisco firewall packet capture procedure

1. Time synchronization

1.1 On the PIX525:

    clock timezone GMT 8
    ntp server 172.16.1.1

1.2 On the ASA5520:

    clock timezone GMT 8
    ntp server 172.16.1.1

2. Disable some configuration

2.1 sqlnet inspect/fixup

On the ASA5520:

    config t
    policy-map global_policy
    class inspection_default
    no inspect sqlnet

On the PIX525:

    config t
    no fixup protocol sqlnet 1521

Test the existing business application: migrate the Oracle database server to the critical server zone.

2.2 tcp norandomseq

1. First disable TCP sequence number randomization on the first firewall. Randomization is enabled by default; when traffic crosses two firewalls it is randomized twice, which breaks the connection. (Done on the PIX525.)

    nat (inside) 2 172.16.1.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.16.3.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.16.6.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.16.8.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.16.98.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.16.99.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.16.100.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.16.150.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.16.200.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.16.201.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.16.203.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.16.205.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.16.206.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.16.208.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.16.209.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.16.210.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.16.211.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.16.212.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.16.213.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.16.215.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.16.216.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.16.218.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.16.219.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.16.220.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.16.221.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.20.0.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.20.32.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.20.64.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.20.65.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.20.66.0 255.255.255.0 0 0 norandomseq
    nat (inside) 2 172.20.68.0 255.255.255.0 0 0 norandomseq
    static (dmz,outside) *.*.158.179 *.*.158.179 netmask 255.255.255.255 0 0 norandomseq
    static (dmz,outside) *.*.158.178 *.*.158.178 netmask 255.255.255.255 0 0 norandomseq
    static (dmz,outside) *.*.158.185 *.*.158.185 netmask 255.255.255.255 0 0 norandomseq
    static (dmz,outside) *.*.158.186 *.*.158.186 netmask 255.255.255.255 0 0 norandomseq
    static (dmz,outside) *.*.158.187 *.*.158.187 netmask 255.255.255.255 0 0 norandomseq
    static (dmz,outside) *.*.158.188 *.*.158.188 netmask 255.255.255.255 0 0 norandomseq
    static (dmz,outside) *.*.158.189 *.*.158.189 netmask 255.255.255.255 0 0 norandomseq
    static (dmz,outside) *.*.158.190 *.*.158.190 netmask 255.255.255.255 0 0 norandomseq
    static (dmz,outside) gdftcvpn gdftcvpn netmask 255.255.255.255 0 0 norandomseq
    static (dmz,outside) gdftcfundapp01 gdftcfundapp01 netmask 255.255.255.255 0 0 norandomseq
    static (dmz,outside) gdftcfundapp02 gdftcfundapp02 netmask 255.255.255.255 0 0 norandomseq
    static (inside,dmz) oracle01 oracle01 netmask 255.255.255.255 0 0 norandomseq
    static (inside,dmz) oracle02 oracle02 netmask 255.255.255.255 0 0 norandomseq
    static (inside,dmz) p520a p520a netmask 255.255.255.255 0 0 norandomseq
    static (inside,dmz) p520b p520b netmask 255.255.255.255 0 0 norandomseq

2. The second ASA does not use address translation; check whether the address translation feature has already been disabled. This command is not displayed in the configuration (no nat-control).

2.3 out of order (done on the ASA5520)

    access-list CONNS permit ip any host 10.1.1.1
    class-map conns
    match access-list CONNS
    policy-map conns
    class conns
    set connection random-sequence-number disable
    service-policy conns interface outside
    access-list OOB-nets permit ip host *.*.158.181 host 172.16.99.1
    tcp-map OOO-Buffer
    queue-limit 6
    class-map tcp-options
    match access-list OOB-nets
    policy-map global_policy
    class tcp-options
    set connection advanced-options OOO-Buffer
    service-policy global_policy global

3. Packet capture (the complete course of three consecutive write operations)

3.1 On the PIX inside and dmz interfaces

a) Enable logging and clear state:

    logging on
    logging host 172.16.200.100
    clear conn
    clear xlate

b) Define the capture:

    access-list tac_capture permit ip host *.*.158.181 host 172.16.99.1
    access-list tac_capture permit ip host 172.16.99.1 host *.*.158.181
    capture tac_capture access-list tac_capture buffer 10000000
    capture tac_capture interface dmz interface inside
    capture tac_capture access-list tac_capture interface inside interface dmz

c) Collect state while the operations run:

    show capture
    show syslog
    show conn
    show xlate
    show local-host
    show asp drop
    show service-policy
    show route
    show capture tac_capture
    show local-host 172.16.99.1
    show local-host *.*.158.181

d) Export the captures:

    copy /pcap capture:tac_capture_inside tftp://172.17.200.100/tac_capture_inside.pcap
    copy /pcap capture:tac_capture_dmz tftp://172.16.200.100/tac_capture_dmz.pcap

e) Clean up:

    clear capture tac_capture
    no capture tac_capture
    no capture tac_capture interface dmz interface inside
    no capture tac_capture access-list tac_capture

3.2 On the ASA5520 inside and outside interfaces

a) Enable logging and clear state:

    logging on
    logging timestamp
    logging trap informational
    logging host inside 172.16.99.100
    clear conn
    clear xlate

b) Define the captures:

    access-list tac_capture permit ip host *.*.158.181 host 172.16.99.1
    access-list tac_capture permit ip host 172.16.99.1 host *.*.158.181
    capture tac_capture_inside access-list tac_capture interface inside
    capture tac_capture_outside access-list tac_capture interface outside
    capture tac_capture access-list tac_capture buffer 10000000

c) Collect state while the operations run:

    show capture
    show syslog
    show conn
    show xlate
    show local-host
    show asp drop
    show service-policy
    show route
    show capture tac_capture
    show local-host 172.16.99.1
    show local-host *.*.158.181

d) Export the captures:

    copy /pcap capture:tac_capture_inside tftp://172.17.99.100/tac_capture_inside.pcap
    copy /pcap capture:tac_capture_outside tftp://172.16.99.100/tac_capture_outside.pcap

e) Clean up:

    clear capture tac_capture
    no capture tac_capture
    no capture tac_capture interface dmz interface inside
    no capture tac_capture access-list tac_capture

4. Configure a SPAN session on the switch that the WebLogic server's NIC connects to

Sw-DMZ switch (port f 0/2 connects to a PC with the EtherPeek NX software and the Vinancy network analysis system installed):

    configure terminal
    monitor session 1 source interface fastethernet 0/24
    monitor session 1 destination interface fastethernet 0/2

5. Configure a SPAN session on the switch that the Oracle database server's NIC connects to

Sw-3560G48 switch (port G 0/2 connects to a PC with the EtherPeek NX software and the Vinancy network analysis system installed):

    configure terminal
    monitor session 1 source interface G 0/3
    monitor session 1 destination interface G 0/2
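Once the inside/dmz (or inside/outside) pcaps from step 3 have been copied off, the quickest way to confirm that the norandomseq / random-sequence-number disable settings from step 2 actually took effect is to match each TCP SYN across the two captures and compare its initial sequence number. The following Python is an added example, not part of the original document: it parses classic pcap files with Ethernet framing, assumes the flow keeps the same addresses and ports on both sides (identity statics and no nat-control, as configured above), and uses the constructed address 192.0.2.181 in place of the redacted *.*.158.181 server.

```python
import struct

def parse_pcap(data):
    """Yield raw link-layer frames from a classic (non-pcapng) pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24                                    # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl]
        off += incl

def tcp_syns(frames):
    """Map (src, sport, dst, dport) -> ISN for every pure SYN in Ethernet/IPv4/TCP frames."""
    isns = {}
    for f in frames:
        if len(f) < 54 or f[12:14] != b"\x08\x00" or f[23] != 6:
            continue                            # not IPv4 over Ethernet, or not TCP
        ihl = (f[14] & 0x0F) * 4
        src, dst = (".".join(map(str, f[i:i + 4])) for i in (26, 30))
        sport, dport, seq, _ack, _doff, flags = struct.unpack_from("!HHIIBB", f, 14 + ihl)
        if (flags & 0x12) == 0x02:              # SYN set, ACK clear
            isns[(src, sport, dst, dport)] = seq
    return isns

def check_randomization(pcap_a, pcap_b):
    """For flows seen in both captures: (ISN on side a, ISN on side b, rewritten?)."""
    a, b = tcp_syns(parse_pcap(pcap_a)), tcp_syns(parse_pcap(pcap_b))
    return {k: (a[k], b[k], a[k] != b[k]) for k in a if k in b}

def build_syn(src, dst, sport, dport, seq):
    """Constructed sample frame: Ethernet + IPv4 + TCP SYN (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def to_pcap(frames):
    """Wrap frames in a minimal little-endian pcap container (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    # Constructed captures: 192.0.2.181 stands in for the redacted *.*.158.181 server.
    inside = to_pcap([build_syn("172.16.99.1", "192.0.2.181", 40000, 1521, 1000)])
    outside = to_pcap([build_syn("172.16.99.1", "192.0.2.181", 40000, 1521, 2468135)])
    print(check_randomization(inside, outside))
```

Any flow reported as rewritten is still being randomized by the firewall between the two capture points; with the settings in step 2 applied, every matched flow should show identical ISNs on both sides.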
